Hi,
The EAP-Message doesn't appear to be encrypted on the initial packet from the ap to the server. Inside i see Type and Identity (containing my username. The username is also in the User-Name attribute)
that'll be your outer identity... which, as it is plain to see (pun definately intended folks), is why many people use some anonymous identity for protection..why give away some of your credentials? - eg anonymous@your.home.realm.com
But (imho) all the write-ups dont really explain what's going on. Myself, i don't understand what the authorize section and authenticate sections are supposed to do. Could somebody talk to the radius server directly without encryption using my settings? Can i specify what kinds of authentication i'll accept from users compared to the types of backend authentication i can do? I just find it hard to get my head around it...
authenticate = yes, you are who you are authorize = should you be using this? do we perhaps change the service you get (eg VLAN) if you've allowed people to talk to the RADIUS server, then they can...this is why you have eg the clients.conf (or clients SQL) to define *WHAT* NAS can talk to RADIUS server and what secret key they must have to talk to it. you can define whatever type of authentication that FR supports...depending on the eg username... alan